Local admin vs user placed in local admin group

Similar Messages

• DPM 2012 still requires put end users into local admin groups for the purpose of end user data recovery?

  On client computers that are protected by DPM 2010 and prior versions, you had to put the end users account in the local administrators group. If you did not add the end user account to the local administrators group you would get this error after opening
  the recovery tab in the DPM client: “DPM found no recovery points which you are authorized to restore on the specified DPM server. You can restore only those recovery points for which you were an administrator at the time the
  backup was taken. To restore other recovery points, contact your DPM administrator, or attempt to restore from another DPM.”  This is not ideal on many networks because the end users are not allowed to have local administrator access.
  Ths fix to this was included in hotfix 2465832 found here: http://support.microsoft.com/kb/2465832.
  This hotfix (a hotfix rollup package for DPM 2010) resolves other issues with DPM 2010 as well. You can find the full list of what this hotfix corrects on that link.
  One would think this issue should have been resolved in DPM 2012, however I am encountering the same exact issue, had to include end-users into the workstation local admin group before they can search for recovery points on the DPM server. This is not acceptable
  practice.
  Is there a new hotfix for the same issue on DPM 2012? I am hesitated to apply KB2465832 since it also includes many other fixes for DPM 2010, which may not appicable for version 2012.
  Please help.
  Thanks,

  This is a hands off solution to allow all users that use a machine to be able to restore their own files.
  1) Make these two cmd files and save them in c:\temp
  2) Using windows scheduler – schedule addperms.cmd to run daily – any new users that log onto the machine will automatically be able to restore their own files.
  <addperms.cmd>
  Cmd.exe /v /c c:\temp\addreg.cmd
  <addreg.cmd>
  set users=
  echo Windows Registry Editor Version 5.00>c:\temp\perms.reg
  echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection]>>c:\temp\perms.reg
  FOR /F "Tokens=*" %%n IN ('dir c:\users\*. /b') do set users=!users!%Userdomain%\\%%n,
  echo "ClientOwners"=^"%users%%Userdomain%\\bogususer^">>c:\temp\perms.reg
  REG IMPORT c:\temp\perms.reg
  Del c:\temp\perms.reg
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Regards, Mike J. [MSFT] This
  posting is provided "AS IS" with no warranties, and confers no rights.
  That's a good one! Thanks for that.
  I've been scripting on KIX for some time, so here is mine, hope it helps to someone... (it's probably not the best, but it works)
  ========================================================================
  $RC=setoption("WOW64AlternateRegView","on") 
  $DPMkey = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Data Protection Manager\Agent\ClientProtection"
  $uservariable = "%userdomain%\%username%"
  If KeyExist ($DPMkey)
  $Userstring=ReadValue($DPMkey, "ClientOwners")
  If $Userstring == ""
  WriteValue($DPMkey,"ClientOwners", $uservariable, "REG_MULTI_SZ")
  ? "Key created"
  else
  If not instr($Userstring,$uservariable)
  $Userstring = "$Userstring,$uservariable"
  WriteValue($DPMkey,"ClientOwners", $Userstring, "REG_MULTI_SZ")
  EndIf
  Endif
  EndIf
  ==========================================================================
  The problem actually is that you still need to use an admin account to write on the registry, so ensure you configure it properly on the schedule task.
  In case you use a service account on the schedule task... the "$uservariable" will get populated with that account. As a work around to this... I changed it for the following line:
  =========================================================
  $uservariable = ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI", "LastLoggedOnSAMUser")
  =========================================================
  The only problem with that, is that key gets created/updated only if user gets logged phisically on that PC, but will not work for anyone connecting through RDP.

• Can not add Domain User to Local Admin Group Win8.1

  Hello, 
  I am trying to add a domain user to the local admin account on a Win8.1 Enterprise computer. When I click the check name button it asks me to enter network credentials even though I am signed in to the computer with a domain admin account. When I try to
  type in any of my domain admin accounts it says "The Username or Password is incorrect". Even though I used that same account to login with. I can successfully ping all 3 of my DCs from the computer and have tried putting my second DC as the primary
  DNS and my third DC as the primary DC and same problem. I have checked for Active Directory errors on the DC and everything says it is running fine on the DC in server manager. I have this problem on multiple computers. Some of the computers it will work on
  but 90% of them it won't allow me to add the local user to the local admin group. 
  DCs are running Win Server 2008 R2 Enterprise. 
  Any help would be greatly appreciated. 
  Thank You

  I would suggest you to use Restricted Group(via GPO) to add domain users/group to a local admins group 
  1)Create a new group in Active Driectory
  Create a new group in Active Driectory that you wish to add to every workstations local administrator group. DO NOT add any users to this group at this time.
  2.
  Create a new GPO
  Create a new group policy object and link it to the desired OU. Make sure that the GPO you are using covers the OU that the WORKSTATIONS you are wanting to give users local administrative rights over.
  3.
  Edit the newly created GPO
  Navigate within the newly created GPO to Computer Configuration -> Policies -> Windows Settings -> Security Settings --> Restricted Groups
  4.
  Add your new Active Directory group to the Restricted Group
  Right-click the Restricted Groups folder and select "Add Group" to add your new Active Directory group to the Restricted Group. In the Group field, type the name of the newly created Active Directory group and click "OK"
  5.
  Add the Restricted Group to the local administrator group
  In the Restricted Group Properties windows click "Add" under the section titled "This group is a member of:" Type "Administrators" (without the quotes and yes it is plural), in the Group Membership window and click "OK"
  6.
  Wait for GPO updates to apply to the workstations
  Once your users receive their updated group policy settings every workstation within the OU you specified will have your new Active Directory group as a member of the local administrators group. If you need to force the GPO update on a specific workstation,
  run "gpupdate /force" in a command window on that workstation.
  7.
  Add a user or group of users to the Active Directory Restricted Group
  When you are ready, or in a position where you need to provide local workstation admin rights you can simply add the users or group of users to the Active Directory group that you created for use with Restricted Groups within your Active Directory Management
  Console.

• List users in local admin group on all workstations

  Hi, I created a script that is supposed to query workstations and list all users in the local admin group. I originally used "test-connection" for logging purposes but it caused an issues when the computer responded but dns was incorrect for
  that pc so i would get a false list of local admin members on that workstation. I changed to a wmi query instead and queried the system name using that so If the system name matched the workstation name being queried then write it is supposed to write to a
  csv. For some reason, when i use $wmi.name as the variable, it does not work. What am i missing?
      $CurrentDate = Get-Date
      $CurrentDate = $CurrentDate.ToString('MM-dd-yyyy_hh-mm-ss')
      import-module activedirectory
       $servers= get-content "C:\Scripts\AD Audits\Local Admin\workstations.txt"
       $output = "c:\temp\local admin audit $CurrentDate.csv"
       $results = @()
       $servers | ForEach-Object{
      $wmi = gwmi win32_ComputerSystem -ComputerName $_ -ErrorAction SilentlyContinue
      $connected = Test-Connection $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
      $state = if($wmi.name -eq '$_') {"$_ Verified"} else {"$_ did not respond"}
      $state | Out-File -Append "c:\temp\LocalAdmin log $CurrentDate.txt"
      $group =[ADSI]"WinNT://$_/Administrators,group"
      $members = $group.Members() | ForEach-Object {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_,   $null) }
      if($wmi)
         New-Object PSObject -Property @{
             DistinguishedName = (Get-ADComputer $_).DistinguishedName
             Server = $_
             Members = $members -join ";"
      } | Export-Csv $Output -NoTypeInformation

  I agree use GP it is more reliable and easier to manage.
  For the sake of demonstration of how this can be don here is how most of us would be likely todo this or a very close variation.
  There is no issue with using Test-Connection and DNS.  AD/DNS cannot have the wrong names or your domain would crash.  Using Get-AdCOmputer instead of a file eliminates stale information.
  $csvfile="c:\temp\local admin audit $([DateTime]::Now.ToString('MM-dd-yyyy_hh-mm-ss')).csv"
  import-module activedirectory
  #adjust Filter as needed
  $adfilter='OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows XP*"'
  Get-AdComputer -Filter $adfilter |
  ForEach-Object{
  $props=@{
  Server=$_.Name
  IsAlive=$false
  DistinguishedName=$_.DistinguishedName
  Members=$null
  if(Test-Connection $_.Name -Count 1 -Quiet){
  $props.IsAlive=$true
  $group =[ADSI]"WinNT://$($_.Name)/Administrators,group"
  $members=$group.Members() |
  ForEach-Object{
  $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
  $props.Members=$members -join ";"
  New-Object PSObject -Property $props
  } |
  Export-Csv $csvfile -NoTypeInformation
  Use GP and you won't have to be bothered with all of these techy details that usually require a Network Admin to sort out.
  ¯\_(ツ)_/¯

• Add Local Users to the Local Admin Group

  I am looking either via GPO or Third Party Tool.  I would like to add 6 Users to the Local Admin Groups on all the computers running Windows 7/8.  I want to Create a Group called "OUR Local Admins" and add these 6 local users (Not domain
  Users) to this Group and then nest this Group into the Local Admin Group Built-in into Windows 8
  Thank u

  > local users (Not domain Users) to this Group and then nest this Group
  > into the Local Admin Group Built-in into Windows 8
  You cannot nest local groups.
  Greetings/Grüße,
  Martin
  Mal ein
  gutes Buch über GPOs lesen?
  Good or bad GPOs? - my blog…
  And if IT bothers me -
  coke bottle design refreshment (-:

• Adding a domain user to Local Admin Groups using MDT 2012

  I don't know if this will help anyone, but it did me after weeks of searching.  If you are trying to add a domain user or domain groups to the local administrators group using MDT, simply go to the cs.ini and add "SkipAdminAccounts=No". 
  But the administrators accounts page will only appear if you choose to join a domain. 

  Correct, if you were to go into the %DeployRoot%\Scripts\DeployWiz_Definition_ENU.xml file you would see the entry for the DeployWiz_AdminAccounts.xml page as follows:
  <Pane id="AdministratorAccounts" reference="DeployWiz_AdminAccounts.xml">
  <Condition><![CDATA[ UCase(Property("SkipAdminAccounts")) = "NO" and UCase(Property("DeploymentType"))<>"REPLACE" and Property("DeploymentType")<>"CUSTOM" and Property("JoinDomain") <> "" ]]></Condition>
  </Pane>
  Most Wizard Pages are displayed by default, and you can turn them off by using the SkipXxxXxxxxx Page variable to hide them during wizard execution. This page is different, since it was added for MDT 2012, the MDT team decided to leave it *OFF* by default,
  instead you must explicitly turn off the SkipAdminAccounts variable by setting it to "NO".
  Additionally, you would not need to display this page if you were running a Refresh or a Custom Task Sequence.
  Finally, this page does not actually *create* accounts, instead it just adds pre-existing user accounts and adds them to the local Administrators group. This scenario is only valid when you are joining the machine to a domain, so you must Join to the Domain.
  If you are interested in adding other local users to the Administrators Group, you should write a script to create the account(s) and add them to the local group. Windows 8.1 has some *gotchas* that have to do with Microsoft Accounts, but that's a different
  Story :^).
  Keith Garner - keithga.wordpress.com

• Is it possible to disallow RDP for one member of local admins group?

  Hello:
  I have an application server which has a service account that is in the local admins group. Is it possible to disallow only that particular service account from being able to RDP into the server? Server is Windows Server 2003 SP2. Basically, I'm trying to
  bypass this: Members of the local Administrators group can connect even if they are not listed. I understand that anyone using the service account could undo any restrictions I make, so what I'm trying to do would just be
  a deterrent. I cannot disable RDP altogether since our regular sys admins need to be able to RDP into the server. Thank you.

  What if you specified the user and denied them rights to RDP to the server.  A deny overrides every other permission, and if you can do this, then only that one user would not be able to RDP into the server, but other admins would be able to. 

• Service accounts adding to Local admin group

  Hello Everyone,
  What are the risks with adding SharePoint service application service accounts to local admin group.
  I see in many Microsoft blogs not to use farm account to create service application and better to use dedicated service account but i didn't see any articles why we shouldn't add dedicated service accounts to local admin group
  I am facing some GPO issue and one my friend suggested to add service accounts to add local administrator group to fix this issue but i am not sure what the risks behind it. 
  Please let me know if you aware of risks.
  Thanks S

  The basic is that it increases your attack surface. If the service (and this goes for any application regardless of vendor or platform) has elevated access to the underlying system (e.g. Local Administrator, SYSTEM, root, and so forth) and that service is
  compromised, there is the possibility that the entire server would be compromised.
  Clearly, this is not a good situation.
  Having said that, there are two scenarios where a service account in SharePoint must be a Local Administrator:
  If you're running the Claims to Windows Token Service (C2WTS) as a Domain User. This account requires Local Admin.
  If you're provisioning the User Profile Sync Service, the Farm Administrator account must be a Local Administrator during the provisioning process (reason being is that it makes calls to the SAM).
  Trevor Seward
  Follow or contact me at...
  &nbsp&nbsp
  This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Need to Query Local Admin Group

  I wrote (copied) some PowerShell code that will add a Domain User to the Local Admin Group using ADSI.  
  $GuestPC = "WinNT://DOMAIN/UserName,user"
  $AdminGroup = [ADSI]("WinNT://"+$env:COMPUTERNAME+"/administrators,group")
  $AdminGroup.add($GuestPC)
  I want to add an If - Else statement to check if the Domain User is already in the Administrators group.  
  I found this code:
  $members = @($AdminGroup.psbase.Invoke("Members"))
  $members | foreach {$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
  This code actually lists the members of the Administrators Group.  Maybe its early or I did not get enough sleep, but I cannot figure out how to just query the Administators group for $GuestPC and if it is there don't do anything, but if it is not there
  add it using the above code.  
  Something easy for someone out there I hope?
  Matt
  Matt Dillon

  Finally found the answer on Google.  Just need to add -cnotcontains "GuestPC" in side a If-Then
  Matt Dillon

• Powershell add group to local admin group

  how do I remotely use powershell to add a domain group to the local admin group on a machine?
  thanks

  When using above, I got:
  [DBG]: PS C:\>> $remoteComputer = 'xxx.xxx.xxx.xxx'
  [DBG]: PS C:\>> $groupname = 'Admin-Group'
  [DBG]: PS C:\>> $fqdn = 'subdomain.domain.com'
  [DBG]: PS C:\>> ([ADSI]"WinNT://$remoteComputer/Administrators,group").Add("WinNT://$fqdn/$groupName"):
  Exception calling "Add" with "1" argument(s): "Access is denied.
  At line:1 char:1
  + ([ADSI]"WinNT://$remoteComputer/Administrators,group").Add("WinNT://$fqdn/$group ...
  + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  + CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  + FullyQualifiedErrorId : CatchFromBaseAdapterMethodInvokeTI
  I am wondering how $remoteComputer authenticate?

• How to add first log on user to local administrator group

  Hi All,
  When first time user log in to system, i need to add that particular user to local administrator group?
  How to achieve it using vbscript?
  Thanks
  Divakar

  It is also now against federal law in the US, Canada and, I believe, the UK. 
  In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins.   This may not specifically affect your
  installation but it does show how important this is.
  There is NEVER a good reason to make a user an administrator.  It is only lack of technical know how that leads to this scenario.  Any vendor product that
  requires this is not a safe product to use in a corporate network.  Malware specifically looks for this as an attack vector.
  I spent three years arguing with Inuit to get there software to work.  Every time they said you have to run as an admin I told them it would never be.  We
  were always able to find a way.  Now QuickBooks installs as a standard user with no issues.
  It can be done.
  ¯\_(ツ)_/¯
  It is also now against federal law in the US, Canada and, I believe, the UK. 
  In the US HIPAA and the federal network security act (???) and Sarbanes-Oxley all prohibit users running as Admins.   This may not specifically affect your
  installation but it does show how important this is.
  There is NEVER a good reason to make a user an administrator.  It is only lack of technical know how that leads to this scenario.  Any vendor product that
  requires this is not a safe product to use in a corporate network.  Malware specifically looks for this as an attack vector.
  I spent three years arguing with Inuit to get there software to work.  Every time they said you have to run as an admin I told them it would never be.  We
  were always able to find a way.  Now QuickBooks installs as a standard user with no issues.
  It can be done.
  ¯\_(ツ)_/¯

• User Accounts in Domain Admins group do not have full administrative rights to the server

  Our server was fine until recently one day we lost admin access for admin user accounts. If we log in to the server with the Domain Admin account, this account has full admin access to the server and can install and launch all programs and even all server
  admin tools. If we log into the server with a user account which is in the Domain Admins group, that account cannot install software or launch Services.MSC. Even IE will not load any page and crash with a "Not Responding" Error.
  The server has no viruses we even ran SFC /SCANNOW and it did repair from corrupted files but that didn't fix the issue.
  Any ideas?

  Hi Rick,
  May be UAC is blocking installtion. Have it disabled and see if it helps.  Ensure you have domain admin groups added into local administrators group.
  Alos Check these links please.
  https://social.technet.microsoft.com/Forums/en-US/b5300f28-6a2a-4760-8b80-97a2da0f87c1/2012-domain-admin-user-cannot-install-programs-on-a-domain-windows-7-pc?forum=winserverDS
  https://social.technet.microsoft.com/Forums/en-US/0ca040de-52ac-4259-bf78-c22436fd04d4/domain-users-with-domain-admins-right-cannot-install-programs-or-open-server-manager?forum=winserverDS
  Thanks,
  Umesh.S.K

• Adding users in Local Administrators Group using GP Restricted Group

  Hi Experts.
  I have approx 200 servers. There are user1, user2 and user3 which I have added in
  Local Administrators Group using GP Restricted Group in all 200 servers. This works fine. In Add Group option I added "Administrator" and Added user1, user2 and user3 in "Members of this Group". Now all 3 users are reflected as a Local
  Administrators member.
  Now there is a need that user 4 should be in Local Administrators Group using GP Restricted Group for certain servers only. Lets say 50.
  In Add Group option I added "Administrator" and Added user4 in "Members of this Group". BUT it doesn't work.
  Any idea?
  Regards Suman B. Singh

  Hi,
  How is it going? I agree with Martin. To do this, we can configure the setting in two different GPOs. For instance, in GPO1, we add user1, user2, and user3 to the local admin group; in GPO2, we add user1, user2, user3, and user4 to the local admin group;
  and then we can use Security Filtering to apply the specific GPOs to specific computers.
  Regarding security filtering, the following article can be referred to for more information.
  Security filtering using GPMC
  https://technet.microsoft.com/en-us/library/cc781988(v=ws.10).aspx
  Filter Using Security Groups
  https://technet.microsoft.com/en-us/library/cc752992.aspx
  Besides, in addition to Restricted Groups, we can also use Group Policy Preferences Local Users and Groups to do this, in which way we can configure two Local Group items in one GPO and utilize Item-Level Targeting to apply the specific items to specific
  computers.
  Regarding GPP Local Users and Groups, the following article can be referred to for more information.
  Configure a Local Group Item
  https://technet.microsoft.com/en-us/library/cc732525.aspx
  How to use Group Policy Preferences to Secure Local Administrator Groups
  http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
  Regarding Item-Level Targeting, the following article can be referred to for more information.
  Preference Item-Level Targeting
  https://msdn.microsoft.com/en-us/library/cc733022.aspx
  Best regards,
  Frank Shen

• Users Admin Group in WS 2012

  Recently users got deleted from Admin group in the windows server 2012, is there any tracking enabled or how do I check when it was deleted and how deleted.
  I have gone thorugh security audit logs but could not find much information. please help.
  Thanks, Ram Ch

  Hi,
  If the auditing is not enabled for such changes that you won't see anything logged in the security log.
  http://www.windowsecurity.com/articles-tutorials/windows_os_security/Auditing-Users-Groups-Windows-Security-Log.html
  Basically you would need a GPO (if you are in AD domain) and enable "Audit Account Management" for success/failure if you want to see both type of changes. The GPO should be linked to where you have your servers/workstations placed (organizational
  unit).
  If you want to see changes on the domain security/distribution groups then the same GPO setting would be linked to Domain Controllers OU. Yo ucan either configure the default domain controllers policy or create a new one for this.
  Hope this helps.
  Regards,
  Calin

• I have two users listed in my admin group. How do I get rid of one?

  I have two users listed in my admin group, but the undesired one doesn't show up in users and groups settings pane. How do I get rid of it?

  Well, I found a link which showed me how to find the hidden/unwanted user and get rid of it (remove hidden users: Apple Support Communities). Now when I get info from the drive on my network I find this:
  Is this normal? I would expect to find something other than (unknown).